Modern applications require a high level of security. In particular, many online services require a secure method that enables secured access to sensitive data. However, current applications often fail to deliver the desired level of security. One of the reasons is that operations processed on a user's device(s) are prone to manipulation in various ways, since the user-processed operations cannot be fully protected, e.g., by a (trusted) central system.
As an example, a typical application executed on a client may connect to a server to retrieve security-critical data. The application may perform an authentication of the user and may transfer the security-critical data from the server to the client. If the application on the client is manipulated or hacked, an intruder may gain access to the authentication data and may observe or manipulate the security-critical data transferred to the client. Also, the data entered by the user and the data communicated between the server and the client may be observed, for example, by employing exploits or key loggers, by sniffing data packets, by phishing authentication data, or by other undesirable data observation, manipulation, or corruption, which allows the observed data to be re-used later on in an undesirable manner.
One factor that facilitates such attacks is that a user may execute applications on a possibly untrusted system. The system may be corrupted, for example, by various kinds of malicious code, such as spyware, viruses, trojans or malware, security exploits, or other code that allows access to and manipulation of the data communicated between the application and the accessed online service.
Another security issue relates to unauthorized execution of applications, wherein data communicated to such applications from a server may be used in an unauthorized way. This is due to the fact that applications and data installed on a client device are possibly prone to malicious manipulation and unauthorized access. The related code may be modified such that a server of the application provider would not be capable of correctly authenticating the integrity of the application, possibly leading to the transfer of security-critical data to the unauthorized application.
Common approaches to handling such security issues include the use of encryption methods and, for example, checking the integrity of applications and systems, e.g., by certificates or other cryptographic signatures and methods. Yet, it remains one of the core problems of computer security technology that each piece of code executed on an unsecured client or system could easily be attacked or manipulated and, therefore, creates a security threat.
Therefore, it is an object of the present disclosure to improve the security level and integrity of applications.